This hands-on hacking training presents the most critical security risks in web applications to teach frontend and backend developers how to build a secure web application.
After an introduction to the Open Web Application Security Project Top 10 2021 (OWASP Top 10 2021), a selection of the application security risks listed in the OWASP Top 10 is described step by step.
Almost every security risk in the selection has its own folder with challenges to solve. In these challenges, the participants of the course have to find various security flaws in the OWASP Juice Shop, an intentionally vulnerable web application. The challenge descriptions include tips that help you find the right way to hack the application.
Always read only one hint first, then try to solve the challenge. If you are stuck and do not know how to proceed, read the next tip.
IMPORTANT: It is recommended to do the security training in the given order, as the challenges might depend on each other.
Follow the setup instructions on https://github.com/juice-shop/juice-shop#setup (installation as a Docker container is recommended):
docker pull bkimminich/juice-shop:v14.2.1
docker run --rm -p 3000:3000 bkimminich/juice-shop:v14.2.1
Follow the setup instructions on https://www.zaproxy.org/download/.
Starting with version 2.8.0, OWASP ZAP includes a Heads Up Display (HUD). Look into the corresponding OWASP ZAP HUD GitHub project to learn more about this feature.
To make calls to the REST API of the Juice Shop via a comfortable UI, you may use Postman.
Follow the setup instructions on https://www.postman.com/downloads.
If you are more used to making calls to the REST API of the Juice Shop from the command line, you may try HTTPie.
Follow the setup instructions on https://httpie.org.
If you prefer the command line, you may also try the classic curl.
Follow the setup instructions on https://curl.haxx.se.
The challenges are categorized according to the OWASP Top 10 (2021) list.
- A01: Broken Access Control
- A02: Cryptographic Failures
- A03: Injection
- A04: Insecure Design
- A05: Security Misconfiguration
- A06: Vulnerable and Outdated Components
- A07: Identification and Authentication Failures
- A08: Software and Data Integrity Failures
- A09: Security Logging and Monitoring Failures
- A10: Server Side Request Forgery
- Complete documentation about OWASP Juice Shop
- The page of the OWASP Juice Shop project in the OWASP Foundation wiki
- The OWASP Top 10: description of each application security risk in OWASP
- Postman API development environment
- HTTPie HTTP command line client
- curl HTTP command line client
- OWASP ZAP web security proxy & scanner